<!doctype html>

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml" lang="en-US" >

  <head>

    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    
    <meta name="viewport" content="width=device-width,initial-scale=1">
    

    <link href="https://fonts.googleapis.com/css?family=Titillium+Web:300,400,600,700" rel="stylesheet"> 
    <link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet">

    <!--INCLUDE SQS SCRIPTS, META TAGS AND USER CONTENT FROM THE CODE INJECTION TAB-->

    <!-- This is Squarespace. --><!-- brian-gorenc -->
<base href="">
<meta charset="utf-8" />
<title>Zero Day Initiative &mdash; TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal</title>
<meta http-equiv="Accept-CH" content="Sec-CH-UA-Platform-Version, Sec-CH-UA-Model" /><link rel="shortcut icon" type="image/x-icon" href="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/1487670157237-HOXHMI54TA0SZP21OY7C/favicon.ico"/>
<link rel="canonical" href="https://www.thezdi.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal"/>
<meta property="og:site_name" content="Zero Day Initiative"/>
<meta property="og:title" content="Zero Day Initiative &mdash; TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal"/>
<meta property="og:latitude" content="40.7207559"/>
<meta property="og:longitude" content="-74.0007613"/>
<meta property="og:locality" content=""/>
<meta property="og:url" content="https://www.thezdi.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal"/>
<meta property="og:type" content="article"/>
<meta property="og:description" content="Last week, the Zero Day Initiative (ZDI) threat-hunting team observed new exploit attempts coming from our telemetry system in Eastern Europe indicating that the Mirai botnet has updated its arsenal to include CVE-2023-1389, also known as  ZDI-CAN-19557/ZDI-23-451 . This bug in the TP-Link Archer AX"/>
<meta property="og:image" content="http://static1.squarespace.com/static/5894c269e4fcb5e65a1ed623/58a5b38cb3db2bd67b608658/6442e5e3271eb61594e3150b/1682348596843/writing-star-sign-goat-line-symbol-682838-pxhere.com.jpg?format=1500w"/>
<meta property="og:image:width" content="1500"/>
<meta property="og:image:height" content="1000"/>
<meta itemprop="name" content="Zero Day Initiative — TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal"/>
<meta itemprop="url" content="https://www.thezdi.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal"/>
<meta itemprop="description" content="Last week, the Zero Day Initiative (ZDI) threat-hunting team observed new exploit attempts coming from our telemetry system in Eastern Europe indicating that the Mirai botnet has updated its arsenal to include CVE-2023-1389, also known as  ZDI-CAN-19557/ZDI-23-451 . This bug in the TP-Link Archer AX"/>
<meta itemprop="thumbnailUrl" content="http://static1.squarespace.com/static/5894c269e4fcb5e65a1ed623/58a5b38cb3db2bd67b608658/6442e5e3271eb61594e3150b/1682348596843/writing-star-sign-goat-line-symbol-682838-pxhere.com.jpg?format=1500w"/>
<link rel="image_src" href="http://static1.squarespace.com/static/5894c269e4fcb5e65a1ed623/58a5b38cb3db2bd67b608658/6442e5e3271eb61594e3150b/1682348596843/writing-star-sign-goat-line-symbol-682838-pxhere.com.jpg?format=1500w" />
<meta itemprop="image" content="http://static1.squarespace.com/static/5894c269e4fcb5e65a1ed623/58a5b38cb3db2bd67b608658/6442e5e3271eb61594e3150b/1682348596843/writing-star-sign-goat-line-symbol-682838-pxhere.com.jpg?format=1500w"/>
<meta itemprop="author" content="Peter Girnus"/>
<meta itemprop="datePublished" content="2023-04-24T10:03:16-0500"/>
<meta itemprop="dateModified" content="2023-04-24T10:03:16-0500"/>
<meta itemprop="headline" content="TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal"/>
<meta itemprop="publisher" content="Zero Day Initiative"/>
<meta name="twitter:title" content="Zero Day Initiative — TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal"/>
<meta name="twitter:image" content="http://static1.squarespace.com/static/5894c269e4fcb5e65a1ed623/58a5b38cb3db2bd67b608658/6442e5e3271eb61594e3150b/1682348596843/writing-star-sign-goat-line-symbol-682838-pxhere.com.jpg?format=1500w"/>
<meta name="twitter:url" content="https://www.thezdi.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal"/>
<meta name="twitter:card" content="summary"/>
<meta name="twitter:description" content="Last week, the Zero Day Initiative (ZDI) threat-hunting team observed new exploit attempts coming from our telemetry system in Eastern Europe indicating that the Mirai botnet has updated its arsenal to include CVE-2023-1389, also known as  ZDI-CAN-19557/ZDI-23-451 . This bug in the TP-Link Archer AX"/>
<meta name="description" content="" />
<link rel="preconnect" href="https://images.squarespace-cdn.com">
<link rel="stylesheet" type="text/css" href="https://fonts.googleapis.com/css2?family=Lato:ital,wght@0,100;0,300;0,400;0,700;1,100;1,300;1,700">
<script type="text/javascript" crossorigin="anonymous" nomodule="nomodule" src="//assets.squarespace.com/@sqs/polyfiller/1.6/legacy.js"></script>
<script type="text/javascript" crossorigin="anonymous" src="//assets.squarespace.com/@sqs/polyfiller/1.6/modern.js"></script>
<script type="text/javascript">SQUARESPACE_ROLLUPS = {};</script>
<script>(function(rollups, name) { if (!rollups[name]) { rollups[name] = {}; } rollups[name].js = ["//assets.squarespace.com/universal/scripts-compressed/extract-css-runtime-095c8f65e6c7981bf30f7-min.en-US.js"]; })(SQUARESPACE_ROLLUPS, 'squarespace-extract_css_runtime');</script>
<script crossorigin="anonymous" src="//assets.squarespace.com/universal/scripts-compressed/extract-css-runtime-095c8f65e6c7981bf30f7-min.en-US.js" ></script><script>(function(rollups, name) { if (!rollups[name]) { rollups[name] = {}; } rollups[name].js = ["//assets.squarespace.com/universal/scripts-compressed/extract-css-moment-js-vendor-5082e2dab696b020ac83a-min.en-US.js"]; })(SQUARESPACE_ROLLUPS, 'squarespace-extract_css_moment_js_vendor');</script>
<script crossorigin="anonymous" src="//assets.squarespace.com/universal/scripts-compressed/extract-css-moment-js-vendor-5082e2dab696b020ac83a-min.en-US.js" ></script><script>(function(rollups, name) { if (!rollups[name]) { rollups[name] = {}; } rollups[name].js = ["//assets.squarespace.com/universal/scripts-compressed/cldr-resource-pack-2bb4d8591b254af6d84d7-min.en-US.js"]; })(SQUARESPACE_ROLLUPS, 'squarespace-cldr_resource_pack');</script>
<script crossorigin="anonymous" src="//assets.squarespace.com/universal/scripts-compressed/cldr-resource-pack-2bb4d8591b254af6d84d7-min.en-US.js" ></script><script>(function(rollups, name) { if (!rollups[name]) { rollups[name] = {}; } rollups[name].js = ["//assets.squarespace.com/universal/scripts-compressed/common-vendors-stable-ded59447778e1491d87fa-min.en-US.js"]; })(SQUARESPACE_ROLLUPS, 'squarespace-common_vendors_stable');</script>
<script crossorigin="anonymous" src="//assets.squarespace.com/universal/scripts-compressed/common-vendors-stable-ded59447778e1491d87fa-min.en-US.js" ></script><script>(function(rollups, name) { if (!rollups[name]) { rollups[name] = {}; } rollups[name].js = ["//assets.squarespace.com/universal/scripts-compressed/common-vendors-07f66b91fe2dd2147c411-min.en-US.js"]; })(SQUARESPACE_ROLLUPS, 'squarespace-common_vendors');</script>
<script crossorigin="anonymous" src="//assets.squarespace.com/universal/scripts-compressed/common-vendors-07f66b91fe2dd2147c411-min.en-US.js" ></script><script>(function(rollups, name) { if (!rollups[name]) { rollups[name] = {}; } rollups[name].js = ["//assets.squarespace.com/universal/scripts-compressed/common-9ea51babf782cde6d8c58-min.en-US.js"]; })(SQUARESPACE_ROLLUPS, 'squarespace-common');</script>
<script crossorigin="anonymous" src="//assets.squarespace.com/universal/scripts-compressed/common-9ea51babf782cde6d8c58-min.en-US.js" ></script><script>(function(rollups, name) { if (!rollups[name]) { rollups[name] = {}; } rollups[name].js = ["//assets.squarespace.com/universal/scripts-compressed/performance-2025f97aef666174a4797-min.en-US.js"]; })(SQUARESPACE_ROLLUPS, 'squarespace-performance');</script>
<script crossorigin="anonymous" src="//assets.squarespace.com/universal/scripts-compressed/performance-2025f97aef666174a4797-min.en-US.js" defer ></script><script data-name="static-context">Static = window.Static || {}; Static.SQUARESPACE_CONTEXT = {"facebookAppId":"314192535267336","facebookApiVersion":"v6.0","rollups":{"squarespace-announcement-bar":{"js":"//assets.squarespace.com/universal/scripts-compressed/announcement-bar-49c85656ae909e2a3b28c-min.en-US.js"},"squarespace-audio-player":{"css":"//assets.squarespace.com/universal/styles-compressed/audio-player-702bf18174efe0acaa8ce-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/audio-player-0b7f3d83778d476053763-min.en-US.js"},"squarespace-blog-collection-list":{"css":"//assets.squarespace.com/universal/styles-compressed/blog-collection-list-3d55c64c25996c7633fc2-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/blog-collection-list-94d73863f597285f58c6a-min.en-US.js"},"squarespace-calendar-block-renderer":{"css":"//assets.squarespace.com/universal/styles-compressed/calendar-block-renderer-49c4a5f3dae67a728e3f4-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/calendar-block-renderer-05459163191cfacdf85b3-min.en-US.js"},"squarespace-chartjs-helpers":{"css":"//assets.squarespace.com/universal/styles-compressed/chartjs-helpers-53c004ac7d4bde1c92e38-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/chartjs-helpers-db2c540e25f886657d1b5-min.en-US.js"},"squarespace-comments":{"css":"//assets.squarespace.com/universal/styles-compressed/comments-cb7553e34a4da425817c4-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/comments-25e9b64885c726ad47b2c-min.en-US.js"},"squarespace-dialog":{"css":"//assets.squarespace.com/universal/styles-compressed/dialog-89b254b5c87045b9e1360-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/dialog-f5dc58527a1c7c2bc0bc7-min.en-US.js"},"square
space-events-collection":{"css":"//assets.squarespace.com/universal/styles-compressed/events-collection-49c4a5f3dae67a728e3f4-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/events-collection-6e55ee90219c363b02b41-min.en-US.js"},"squarespace-form-rendering-utils":{"js":"//assets.squarespace.com/universal/scripts-compressed/form-rendering-utils-908aa8443ec11c5828dd6-min.en-US.js"},"squarespace-forms":{"css":"//assets.squarespace.com/universal/styles-compressed/forms-4a16a8a8c965386db2173-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/forms-f546376eaecad3cda5eeb-min.en-US.js"},"squarespace-gallery-collection-list":{"css":"//assets.squarespace.com/universal/styles-compressed/gallery-collection-list-3d55c64c25996c7633fc2-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/gallery-collection-list-80bfda88034d1e2f95767-min.en-US.js"},"squarespace-image-zoom":{"css":"//assets.squarespace.com/universal/styles-compressed/image-zoom-3d55c64c25996c7633fc2-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/image-zoom-b56ca0b7347a780ce9521-min.en-US.js"},"squarespace-pinterest":{"css":"//assets.squarespace.com/universal/styles-compressed/pinterest-3d55c64c25996c7633fc2-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/pinterest-64719eb1c8e96feb0952d-min.en-US.js"},"squarespace-popup-overlay":{"css":"//assets.squarespace.com/universal/styles-compressed/popup-overlay-948192219c3257f767ec5-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/popup-overlay-ff954978d4db6dac96469-min.en-US.js"},"squarespace-product-quick-view":{"css":"//assets.squarespace.com/universal/styles-compressed/product-quick-view-4a16a8a8c965386db2173-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/product-quick-view-d7ea8b869bc427b65f9b4-min.en-US.js"},"squarespace-products-collection-item-v2":{"css":"//assets.squarespace.com/universal
/styles-compressed/products-collection-item-v2-3d55c64c25996c7633fc2-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/products-collection-item-v2-7e2b08b3da20d55eb92fe-min.en-US.js"},"squarespace-products-collection-list-v2":{"css":"//assets.squarespace.com/universal/styles-compressed/products-collection-list-v2-3d55c64c25996c7633fc2-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/products-collection-list-v2-239ed1ac3377d9ad03fd6-min.en-US.js"},"squarespace-search-page":{"css":"//assets.squarespace.com/universal/styles-compressed/search-page-9d0a55de1efafbb9218e1-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/search-page-59196f24549836748c915-min.en-US.js"},"squarespace-search-preview":{"js":"//assets.squarespace.com/universal/scripts-compressed/search-preview-fd68f62b9fd1118758174-min.en-US.js"},"squarespace-simple-liking":{"css":"//assets.squarespace.com/universal/styles-compressed/simple-liking-ef94529873378652e6e86-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/simple-liking-fdae2d43d38af1cfe236b-min.en-US.js"},"squarespace-social-buttons":{"css":"//assets.squarespace.com/universal/styles-compressed/social-buttons-1f18e025ea682ade6293a-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/social-buttons-c3728006cef46b677b94c-min.en-US.js"},"squarespace-tourdates":{"css":"//assets.squarespace.com/universal/styles-compressed/tourdates-3d55c64c25996c7633fc2-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/tourdates-19f7e88118174ed4a18b8-min.en-US.js"},"squarespace-website-overlays-manager":{"css":"//assets.squarespace.com/universal/styles-compressed/website-overlays-manager-7cecc648f858e6f692130-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/website-overlays-manager-2d106cd8eed75046323ab-min.en-US.js"}},"pageType":50,"website":{"id":"5894c269e4fcb5e65a1ed623","identifier":"brian-goren
c","websiteType":1,"contentModifiedOn":1683313424306,"cloneable":false,"hasBeenCloneable":false,"developerMode":true,"siteStatus":{},"language":"en-US","timeZone":"America/Chicago","machineTimeZoneOffset":-18000000,"timeZoneOffset":-18000000,"timeZoneAbbr":"CDT","siteTitle":"Zero Day Initiative","fullSiteTitle":"Zero Day Initiative \u2014 TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal","siteDescription":"","shareButtonOptions":{"2":true,"6":true,"3":true,"4":true,"1":true},"authenticUrl":"https://www.thezdi.com","internalUrl":"https://brian-gorenc.squarespace.com","baseUrl":"https://www.thezdi.com","primaryDomain":"www.thezdi.com","sslSetting":3,"socialAccounts":[{"serviceId":4,"userId":"86973588","userName":"thezdi","screenname":"Zero Day Initiative","addedOn":1492718968086,"profileUrl":"https://twitter.com/thezdi","iconUrl":"http://pbs.twimg.com/profile_images/626740860508442632/dC1lsJPl_normal.png","collectionId":"58f91578e58c6231c1daf261","iconEnabled":true,"serviceName":"twitter"},{"serviceId":11,"userId":"UChbH7B5YhXANmlMYJRHpw0g","screenname":"TippingPoint Zero Day 
Initiative","addedOn":1492722141068,"profileUrl":"https://www.youtube.com/channel/UChbH7B5YhXANmlMYJRHpw0g","iconUrl":"https://yt3.ggpht.com/-5tyoeQlg_Jk/AAAAAAAAAAI/AAAAAAAAAAA/lrjg7w8bQgA/s88-c-k-no-mo-rj-c0xffffff/photo.jpg","iconEnabled":true,"serviceName":"youtube"}],"typekitId":"","statsMigrated":false,"imageMetadataProcessingEnabled":false,"screenshotId":"a0a901f81f08cc6c7c9e5108d43c513fa4847e74de2b39c335909e3f8dd88d34","showOwnerLogin":false},"websiteSettings":{"id":"5894c269e4fcb5e65a1ed625","websiteId":"5894c269e4fcb5e65a1ed623","subjects":[],"country":"US","state":"TX","simpleLikingEnabled":true,"mobileInfoBarSettings":{"isContactEmailEnabled":false,"isContactPhoneNumberEnabled":false,"isLocationEnabled":false,"isBusinessHoursEnabled":false},"commentLikesAllowed":true,"commentAnonAllowed":true,"commentThreaded":true,"commentApprovalRequired":false,"commentAvatarsOn":true,"commentSortType":2,"commentFlagThreshold":0,"commentFlagsAllowed":true,"commentEnableByDefault":true,"commentDisableAfterDaysDefault":0,"disqusShortname":"","commentsEnabled":false,"contactPhoneNumber":"","storeSettings":{"returnPolicy":null,"termsOfService":null,"privacyPolicy":null,"expressCheckout":false,"continueShoppingLinkUrl":"/","useLightCart":false,"showNoteField":false,"shippingCountryDefaultValue":"US","billToShippingDefaultValue":false,"showShippingPhoneNumber":true,"isShippingPhoneRequired":false,"showBillingPhoneNumber":true,"isBillingPhoneRequired":false,"currenciesSupported":["CHF","HKD","MXN","EUR","DKK","USD","CAD","MYR","NOK","THB","AUD","SGD","ILS","PLN","GBP","CZK","SEK","NZD","PHP","RUB"],"defaultCurrency":"USD","selectedCurrency":"USD","measurementStandard":1,"showCustomCheckoutForm":false,"checkoutPageMarketingOptInEnabled":false,"enableMailingListOptInByDefault":false,"sameAsRetailLocation":false,"merchandisingSettings":{"scarcityEnabledOnProductItems":false,"scarcityEnabledOnProductBlocks":false,"scarcityMessageType":"DEFAULT_SCARCITY_MESSAGE","scarcityThreshold
":10,"multipleQuantityAllowedForServices":true,"restockNotificationsEnabled":false,"restockNotificationsMailingListSignUpEnabled":false,"relatedProductsEnabled":false,"relatedProductsOrdering":"random","soldOutVariantsDropdownDisabled":false,"productComposerOptedIn":false,"productComposerABTestOptedOut":false,"productReviewsEnabled":false,"displayImportedProductReviewsEnabled":false,"hasOptedToCollectNativeReviews":false},"isLive":false,"multipleQuantityAllowedForServices":true},"useEscapeKeyToLogin":true,"ssBadgeType":1,"ssBadgePosition":4,"ssBadgeVisibility":1,"ssBadgeDevices":1,"pinterestOverlayOptions":{"mode":"disabled"},"ampEnabled":false},"cookieSettings":{"isCookieBannerEnabled":false,"isRestrictiveCookiePolicyEnabled":false,"isRestrictiveCookiePolicyAbsolute":false,"cookieBannerText":"","cookieBannerTheme":"","cookieBannerVariant":"","cookieBannerPosition":"","cookieBannerCtaVariant":"","cookieBannerCtaText":"","cookieBannerAcceptType":"OPT_IN","cookieBannerOptOutCtaText":""},"websiteCloneable":false,"collection":{"title":"Blog","id":"58a5b38cb3db2bd67b608658","fullUrl":"/blog","type":1,"permissionType":1},"item":{"title":"TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal","id":"6442e5e3271eb61594e3150b","fullUrl":"/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal","publicCommentCount":0,"commentState":2,"recordType":1},"subscribed":false,"appDomain":"squarespace.com","templateTweakable":false,"tweakJSON":{"aspect-ratio":"Auto","gallery-arrow-style":"No Background","gallery-aspect-ratio":"3:2 Standard","gallery-auto-crop":"true","gallery-autoplay":"false","gallery-design":"Slideshow","gallery-info-overlay":"Show on 
Hover","gallery-loop":"false","gallery-navigation":"Bullets","gallery-show-arrows":"true","gallery-transitions":"Fade","galleryArrowBackground":"rgba(34,34,34,1)","galleryArrowColor":"rgba(255,255,255,1)","galleryAutoplaySpeed":"3","galleryCircleColor":"rgba(255,255,255,1)","galleryInfoBackground":"rgba(0, 0, 0, .7)","galleryThumbnailSize":"100px","gridSize":"350px","gridSpacing":"20px","product-gallery-auto-crop":"true","product-image-auto-crop":"true","tweak-v1-related-products-title-spacing":"50px"},"templateId":"58a5cc48579fb3f464465a0c","templateVersion":"7","pageFeatures":[1,2,4],"gmRenderKey":"QUl6YVN5Q0JUUk9xNkx1dkZfSUUxcjQ2LVQ0QWVUU1YtMGQ3bXk4","templateScriptsRootUrl":"https://static1.squarespace.com/static/ta/5894c269e4fcb5e65a1ed623/45/scripts/","betaFeatureFlags":["customer_account_creation_recaptcha","campaigns_asset_picker","commerce_etsy_shipping_import","campaigns_new_image_layout_picker","crm_default_newsletter_block_to_campaigns","order_status_page_checkout_landing_enabled","campaigns_thumbnail_layout","campaigns_global_uc_ab","member_areas_spanish_interviews","nested_categories_migration_enabled","customer_accounts_email_verification","campaigns_import_discounts","visitor_react_forms","member_areas_provisioning_service","commerce_order_status_access","is_feature_gate_refresh_enabled","crm_enable_recaptcha_v3_enterprise","campaigns_content_editing_survey","crm_retention_segment","campaigns_discount_section_in_automations","crm_remove_subscriber","crm_waitlist_enforce_recaptcha_v3_enterprise","fluid_engine_clean_up_grid_contextual_change","campaigns_show_featured_templates","crm_enforce_recaptcha_v3_enterprise","viewer-role-contributor-invites","campaigns_discount_section_in_blasts","scripts_defer","commerce_clearpay","commerce_etsy_product_import","site_user_email_change","commerce_restock_notifications","member_areas_schedule_interview","send_local_pickup_ready_email","multilingual_transactional_emails","marketing_landing_page","background_art_on
boarding","fluid_engine","commerce_site_visitor_metrics","accounting_orders_sync"],"videoAssetsFeatureFlags":["mux-data-video-collection","mux-data-video-block","mux-data-course-collection"],"impersonatedSession":false,"tzData":{"zones":[[-360,"US","C%sT",null]],"rules":{"US":[[1967,2006,null,"Oct","lastSun","2:00","0","S"],[1987,2006,null,"Apr","Sun>=1","2:00","1:00","D"],[2007,"max",null,"Mar","Sun>=8","2:00","1:00","D"],[2007,"max",null,"Nov","Sun>=1","2:00","0","S"]]}},"showAnnouncementBar":false,"recaptchaEnterpriseContext":{"recaptchaEnterpriseSiteKey":"6LdDFQwjAAAAAPigEvvPgEVbb7QBm-TkVJdDTlAv"},"i18nContext":{"timeZoneData":{"id":"America/Chicago","name":"Central Time"}}};</script><script>SquarespaceFonts.loadViaContext(); Squarespace.load(window);</script>
<link rel="alternate" type="application/rss+xml" title="RSS Feed" href="https://www.thezdi.com/blog?format=rss" />
<script type="application/ld+json">{"url":"https://www.thezdi.com","name":"Zero Day Initiative","description":"","@context":"http://schema.org","@type":"WebSite"}</script><script type="application/ld+json">{"name":"Zero Day Initiative \u2014 TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal","url":"https://www.thezdi.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal","datePublished":"2023-04-24T10:03:16-0500","dateModified":"2023-04-24T10:03:16-0500","headline":"TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal","author":"Peter Girnus","publisher":{"name":"Zero Day Initiative","logo":{"@type":"ImageObject"},"@context":"http://schema.org","@type":"Organization"},"image":"http://static1.squarespace.com/static/5894c269e4fcb5e65a1ed623/58a5b38cb3db2bd67b608658/6442e5e3271eb61594e3150b/1682348596843/writing-star-sign-goat-line-symbol-682838-pxhere.com.jpg?format=1500w","@context":"http://schema.org","@type":"Article"}</script><link rel="stylesheet" type="text/css" href="https://static1.squarespace.com/static/sitecss/5894c269e4fcb5e65a1ed623/43/58a5cc48579fb3f464465a0c/58a5cc48579fb3f464465a0e/45/site.css"/><script>
if (window.location.host == "www.thezdi.com") {window.location = "https://www.zerodayinitiative.com" + window.location.pathname}</script><script>Static.COOKIE_BANNER_CAPABLE = true;</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-93169700-1"></script><script>window.dataLayer = window.dataLayer || [];function gtag(){dataLayer.push(arguments);}gtag('js', new Date());gtag('set', 'developer_id.dZjQwMz', true);gtag('config', 'UA-93169700-1');</script><!-- End of Squarespace Headers -->
    <link rel="stylesheet" href="https://www.zerodayinitiative.com/css/main.css">


  </head>

  <body id="item-6442e5e3271eb61594e3150b" class="event-show-past-events event-thumbnails event-thumbnail-size-32-standard event-date-label  event-list-show-cats event-list-date event-list-time event-list-address   event-icalgcal-links  event-excerpts      gallery-design-slideshow aspect-ratio-auto lightbox-style-dark gallery-navigation-bullets gallery-info-overlay-show-on-hover gallery-aspect-ratio-32-standard gallery-arrow-style-no-background gallery-transitions-fade gallery-show-arrows gallery-auto-crop   product-list-titles-under product-list-alignment-left product-item-size-11-square product-image-auto-crop product-gallery-size-11-square product-gallery-auto-crop show-product-price show-product-item-nav product-social-sharing tweak-v1-related-products-image-aspect-ratio-11-square tweak-v1-related-products-details-alignment-center newsletter-style-dark hide-opentable-icons opentable-style-dark small-button-style-solid small-button-shape-square medium-button-style-solid medium-button-shape-square large-button-style-solid large-button-shape-square image-block-poster-text-alignment-center image-block-card-dynamic-font-sizing image-block-card-content-position-center image-block-card-text-alignment-left image-block-overlap-dynamic-font-sizing image-block-overlap-content-position-center image-block-overlap-text-alignment-left image-block-collage-dynamic-font-sizing image-block-collage-content-position-top image-block-collage-text-alignment-left image-block-stack-dynamic-font-sizing image-block-stack-text-alignment-left button-style-solid button-corner-style-square tweak-product-quick-view-button-style-floating tweak-product-quick-view-button-position-bottom tweak-product-quick-view-lightbox-excerpt-display-truncate tweak-product-quick-view-lightbox-show-arrows tweak-product-quick-view-lightbox-show-close-button tweak-product-quick-view-lightbox-controls-weight-light native-currency-code-usd collection-58a5b38cb3db2bd67b608658 view-item collection-type-blog 
collection-layout-default mobile-style-available">

    <div id="outerWrapper">

      <div id="bgOverlay"></div>


      <!--SITE TITLE OR LOGO-->
      <div id="innerWrapper">

      <!--CONTENT INJECTION POINT-->
        <section id="content">
          <div class="main-content-wrapper cf" data-content-field="main-content">
            <!-- CATEGORY NAV -->
            
            <div id="mainContent" class="blogDetails group subscribeAbs">
    <div id="imageMasthead" class="smaller">
        <div class="content">
            
                <h1 class="title" data-content-field="title">
                  
                    TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal
                  
                </h1>
                <data>April 24, 2023  |  Peter Girnus</data>
            
        </div>
    </div>

    <div class="blog-listing blog-details">
        <div class="section">
            <div class="contentBlock">
                <div class="contentBlockCopy">
                    
                      <div class="group">
                        <div class="sqs-layout sqs-grid-12 columns-12" data-layout-label="Post Body" data-type="item" data-updated-on="1682105903157" id="item-6442e5e3271eb61594e3150b"><div class="row sqs-row"><div class="col sqs-col-12 span-12"><div class="sqs-block html-block sqs-block-html" data-block-type="2" id="block-b3f1ef7c1cd87850f96a"><div class="sqs-block-content">

<div class="sqs-html-content">
  <p class="" style="white-space:pre-wrap;">Last week, the Zero Day Initiative (ZDI) threat-hunting team observed new exploit attempts reported by our telemetry system in Eastern Europe, indicating that the Mirai botnet has updated its arsenal to include CVE-2023-1389, also known as <a href="https://www.zerodayinitiative.com/advisories/ZDI-23-451/" target="_blank">ZDI-CAN-19557/ZDI-23-451</a>. This bug in the TP-Link Archer AX21 Wi-Fi router was originally disclosed to ZDI during the Pwn2Own Toronto event, where it was used by Team Viettel in their <a href="https://www.zerodayinitiative.com/blog/2022/12/7/pwn2own-toronto-2022-day-two-results" target="_blank">LAN-side</a> entry against the TP-Link device and by Qrious Security in their <a href="https://www.zerodayinitiative.com/blog/2022/12/5/pwn2own-toronto-2022-day-one-results" target="_blank">WAN-side</a> entry.&nbsp; </p><p class="" style="white-space:pre-wrap;">Both teams’ entries were successful at the contest, and the vulnerabilities were disclosed to the vendor. Interestingly, the bug was also used by the Tenable team in their unsuccessful Pwn2Own attempt against the device. They, too, disclosed the bug to TP-Link, but their <a href="https://www.tenable.com/security/research/tra-2023-11">public</a> report did not show that&nbsp;the bug could be exploited on the WAN interface. TP-Link released a firmware <a href="https://www.tp-link.com/us/support/download/archer-ax21/v3/#Firmware">update</a> in March that “Fixed some security issues” – including this and other CVEs. It was after this fix was made public that exploit attempts using this CVE were detected in the wild.</p><p class="" style="white-space:pre-wrap;"><strong>Vulnerability Details</strong>&nbsp;</p>
</div>



</div></div><div class="sqs-block markdown-block sqs-block-markdown" data-block-type="44" id="block-yui_3_17_2_1_1681920369801_391830"><div class="sqs-block-content"><p>The bug itself is an unauthenticated command injection vulnerability in the <code>locale</code> API available via the web management interface. This endpoint lets the caller choose which form to invoke through the <code>form</code> query-string parameter, along with an operation, which is usually <code>read</code> or <code>write</code>. In this instance, we are interested in the <code>write</code> operation on the <code>country</code> form, which is handled by the <code>set_country</code> function. This function calls <code>merge_config_by_country</code>, which concatenates the specified <code>country</code> field into a command string. This command string is then executed using the <code>popen</code> function. There is no sanitization of the <code>country</code> field, so data from the unauthenticated request flows directly into the executed command, and an attacker can achieve command injection at this point.</p>
<p>This functionality is exposed on the LAN side of the router, as evidenced by both Team Viettel and Tenable targeting this functionality at the contest. However, the team from Qrious Security was able to exploit this vulnerability on the WAN interface of the router. They discovered a race condition in the router's <code>iptable</code> handling on the WAN side that would briefly expose this functionality on the WAN interface. This allowed them to chain the race condition weakness with the <code>locale</code> API command injection to gain code execution at the contest. According to TP-Link, both issues were resolved in the patch released on March 17.</p>
<p><b data-preserve-html-node="true">Active Exploitation Details</b></p>
<p>Starting on April 11th, we began seeing notifications from our telemetry system that a threat actor had started to exploit this vulnerability in the wild. You can see an example of the attack here:</p>

</div></div><div class="sqs-block image-block sqs-block-image" data-block-type="5" id="block-yui_3_17_2_1_1681920369801_393696"><div class="sqs-block-content">






























  

    
  
    <div
        class="
          image-block-outer-wrapper
          layout-caption-hidden
          design-layout-inline
          combination-animation-none
          individual-animation-none
          individual-text-animation-none
        "
        data-test="image-block-inline-outer-wrapper"
    >

      

      
        <figure
            class="
              sqs-block-image-figure
              intrinsic
            "
            style="max-width:2002px;"
        >
          
        
        

        
          
            <button
                class="
                  sqs-block-image-button
                  lightbox
                  
          
        
                "
                data-description=""
                data-lightbox-theme="dark"
            >
              
          <div
              
              
              class="image-block-wrapper"
              data-animation-role="image"
              
  

          >
            <div class="sqs-image-shape-container-element
              
          
        
              has-aspect-ratio
            " style="
                position: relative;
                
                  padding-bottom:32.36763000488281%;
                
                overflow: hidden;-webkit-mask-image: -webkit-radial-gradient(white, black);
              "
              >
                
                  <noscript><img src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/66df2b77-1302-4f4f-8fe6-a322a9972731/mirai-post-request.jpg" alt="" /></noscript><img class="thumb-image" data-src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/66df2b77-1302-4f4f-8fe6-a322a9972731/mirai-post-request.jpg" data-image="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/66df2b77-1302-4f4f-8fe6-a322a9972731/mirai-post-request.jpg" data-image-dimensions="2002x648" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="64444ed5a4c2fd7092719cec" data-type="image" />
                
            </div>
          </div>
        
            </button>
          
        

        
      
        </figure>
      

    </div>
  


  


</div></div><div class="sqs-block html-block sqs-block-html" data-block-type="2" id="block-yui_3_17_2_1_1681920369801_394918"><div class="sqs-block-content">

<div class="sqs-html-content">
  <p class="" style="white-space:pre-wrap;">Most of the initial activity was seen attacking devices in Eastern Europe, but we are now observing detections in other locations around the globe. </p><p class="" style="white-space:pre-wrap;"><strong><em>Mirai Payloads</em></strong></p><p class="" style="white-space:pre-wrap;">In this version of Mirai, the attackers utilize CVE-2023-1389 to make an HTTP request to the Mirai command and control (C2) servers to download and execute a series of binary payloads. These binary payloads are intended for various system architectures. This is one such request:</p>
</div>



</div></div><div class="sqs-block image-block sqs-block-image" data-block-type="5" id="block-yui_3_17_2_1_1681920369801_395552"><div class="sqs-block-content">






























  

    
  
    <div
        class="
          image-block-outer-wrapper
          layout-caption-hidden
          design-layout-inline
          combination-animation-none
          individual-animation-none
          individual-text-animation-none
        "
        data-test="image-block-inline-outer-wrapper"
    >

      

      
        <figure
            class="
              sqs-block-image-figure
              intrinsic
            "
            style="max-width:1574px;"
        >
          
        
        

        
          
            <button
                class="
                  sqs-block-image-button
                  lightbox
                  
          
        
                "
                data-description=""
                data-lightbox-theme="dark"
            >
              
          <div
              
              
              class="image-block-wrapper"
              data-animation-role="image"
              
  

          >
            <div class="sqs-image-shape-container-element
              
          
        
              has-aspect-ratio
            " style="
                position: relative;
                
                  padding-bottom:40.025413513183594%;
                
                overflow: hidden;-webkit-mask-image: -webkit-radial-gradient(white, black);
              "
              >
                
                  <noscript><img src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/d2685859-9cce-4ec7-be49-c0680e6d161b/mirai-payload-downloads.jpg" alt="" /></noscript><img class="thumb-image" data-src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/d2685859-9cce-4ec7-be49-c0680e6d161b/mirai-payload-downloads.jpg" data-image="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/d2685859-9cce-4ec7-be49-c0680e6d161b/mirai-payload-downloads.jpg" data-image-dimensions="1574x630" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="64444f0abcca8c1c943594cf" data-type="image" />
                
            </div>
          </div>
        
            </button>
          
        

        
      
        </figure>
      

    </div>
  


  


</div></div><div class="sqs-block html-block sqs-block-html" data-block-type="2" id="block-yui_3_17_2_1_1681920369801_396756"><div class="sqs-block-content">

<div class="sqs-html-content">
  <p class="" style="white-space:pre-wrap;">The binary payloads are downloaded and then each is executed, a brute-force way of finding the payload that matches the target system's architecture.</p>
</div>



</div></div><div class="sqs-block image-block sqs-block-image" data-block-type="5" id="block-yui_3_17_2_1_1681920369801_397232"><div class="sqs-block-content">






























  

    
  
    <div
        class="
          image-block-outer-wrapper
          layout-caption-hidden
          design-layout-inline
          combination-animation-none
          individual-animation-none
          individual-text-animation-none
        "
        data-test="image-block-inline-outer-wrapper"
    >

      

      
        <figure
            class="
              sqs-block-image-figure
              intrinsic
            "
            style="max-width:1934px;"
        >
          
        
        

        
          
            <button
                class="
                  sqs-block-image-button
                  lightbox
                  
          
        
                "
                data-description=""
                data-lightbox-theme="dark"
            >
              
          <div
              
              
              class="image-block-wrapper"
              data-animation-role="image"
              
  

          >
            <div class="sqs-image-shape-container-element
              
          
        
              has-aspect-ratio
            " style="
                position: relative;
                
                  padding-bottom:16.85625648498535%;
                
                overflow: hidden;-webkit-mask-image: -webkit-radial-gradient(white, black);
              "
              >
                
                  <noscript><img src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/e7cf1fc0-eaf1-4374-8237-1812ae176bda/mirai-payload-download-install.jpg" alt="" /></noscript><img class="thumb-image" data-src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/e7cf1fc0-eaf1-4374-8237-1812ae176bda/mirai-payload-download-install.jpg" data-image="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/e7cf1fc0-eaf1-4374-8237-1812ae176bda/mirai-payload-download-install.jpg" data-image-dimensions="1934x326" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="64444f2d2c9e8f380640fbbe" data-type="image" />
                
            </div>
          </div>
        
            </button>
          
        

        
      
        </figure>
      

    </div>
  


  


</div></div><div class="sqs-block html-block sqs-block-html" data-block-type="2" id="block-yui_3_17_2_1_1681920369801_398433"><div class="sqs-block-content">

<div class="sqs-html-content">
  <p class="" style="white-space:pre-wrap;">Once the appropriate binary is found and the payload is installed, the host becomes fully infected and establishes a connection with the Mirai C2. Here’s a network trace showing this connection:</p>
</div>



</div></div><div class="sqs-block image-block sqs-block-image" data-block-type="5" id="block-yui_3_17_2_1_1681920369801_398861"><div class="sqs-block-content">






























  

    
  
    <div
        class="
          image-block-outer-wrapper
          layout-caption-hidden
          design-layout-inline
          combination-animation-none
          individual-animation-none
          individual-text-animation-none
        "
        data-test="image-block-inline-outer-wrapper"
    >

      

      
        <figure
            class="
              sqs-block-image-figure
              intrinsic
            "
            style="max-width:752px;"
        >
          
        
        

        
          
            <button
                class="
                  sqs-block-image-button
                  lightbox
                  
          
        
                "
                data-description=""
                data-lightbox-theme="dark"
            >
              
          <div
              
              
              class="image-block-wrapper"
              data-animation-role="image"
              
  

          >
            <div class="sqs-image-shape-container-element
              
          
        
              has-aspect-ratio
            " style="
                position: relative;
                
                  padding-bottom:26.06382942199707%;
                
                overflow: hidden;-webkit-mask-image: -webkit-radial-gradient(white, black);
              "
              >
                
                  <noscript><img src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/5e4e8ab4-8fef-4c1e-adc4-f64022702607/NetworkTrace.png" alt="" /></noscript><img class="thumb-image" data-src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/5e4e8ab4-8fef-4c1e-adc4-f64022702607/NetworkTrace.png" data-image="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/5e4e8ab4-8fef-4c1e-adc4-f64022702607/NetworkTrace.png" data-image-dimensions="752x196" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="64444fc2b949a91856339f94" data-type="image" />
                
            </div>
          </div>
        
            </button>
          
        

        
      
        </figure>
      

    </div>
  


  


</div></div><div class="sqs-block markdown-block sqs-block-markdown" data-block-type="44" id="block-yui_3_17_2_1_1681920369801_413704"><div class="sqs-block-content"><p>While analyzing some of the payloads, we determined that the threat actors are encrypting strings using <code>0x00</code> and <code>0x22</code> as XOR keys. Decrypting these strings revealed some of the capabilities and configuration details that correspond with known Mirai indicators.</p>

</div></div><div class="sqs-block image-block sqs-block-image" data-block-type="5" id="block-yui_3_17_2_1_1681920369801_414566"><div class="sqs-block-content">






























  

    
  
    <div
        class="
          image-block-outer-wrapper
          layout-caption-hidden
          design-layout-inline
          combination-animation-none
          individual-animation-none
          individual-text-animation-none
        "
        data-test="image-block-inline-outer-wrapper"
    >

      

      
        <figure
            class="
              sqs-block-image-figure
              intrinsic
            "
            style="max-width:1954px;"
        >
          
        
        

        
          
            <button
                class="
                  sqs-block-image-button
                  lightbox
                  
          
        
                "
                data-description=""
                data-lightbox-theme="dark"
            >
              
          <div
              
              
              class="image-block-wrapper"
              data-animation-role="image"
              
  

          >
            <div class="sqs-image-shape-container-element
              
          
        
              has-aspect-ratio
            " style="
                position: relative;
                
                  padding-bottom:43.29580307006836%;
                
                overflow: hidden;-webkit-mask-image: -webkit-radial-gradient(white, black);
              "
              >
                
                  <noscript><img src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/28c75f36-bf56-43bc-b1f3-29703635c597/mirai-xor-config-plaintext.jpg" alt="" /></noscript><img class="thumb-image" data-src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/28c75f36-bf56-43bc-b1f3-29703635c597/mirai-xor-config-plaintext.jpg" data-image="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/28c75f36-bf56-43bc-b1f3-29703635c597/mirai-xor-config-plaintext.jpg" data-image-dimensions="1954x846" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="64444fe995e28d410bb79632" data-type="image" />
                
            </div>
          </div>
        
            </button>
          
        

        
      
        </figure>
      

    </div>
  


  


</div></div><div class="sqs-block html-block sqs-block-html" data-block-type="2" id="block-yui_3_17_2_1_1681920369801_415759"><div class="sqs-block-content">

<div class="sqs-html-content">
  <p class="" style="white-space:pre-wrap;">Part of the plaintext configuration reveals the Mirai bot attack functions, which can be found in Mirai’s <a href="https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/" target="_blank">source code</a>. For example:</p>
</div>



</div></div><div class="sqs-block image-block sqs-block-image" data-block-type="5" id="block-yui_3_17_2_1_1681920369801_416547"><div class="sqs-block-content">






























  

    
  
    <div
        class="
          image-block-outer-wrapper
          layout-caption-hidden
          design-layout-inline
          combination-animation-none
          individual-animation-none
          individual-text-animation-none
        "
        data-test="image-block-inline-outer-wrapper"
    >

      

      
        <figure
            class="
              sqs-block-image-figure
              intrinsic
            "
            style="max-width:1066px;"
        >
          
        
        

        
          
            <button
                class="
                  sqs-block-image-button
                  lightbox
                  
          
        
                "
                data-description=""
                data-lightbox-theme="dark"
            >
              
          <div
              
              
              class="image-block-wrapper"
              data-animation-role="image"
              
  

          >
            <div class="sqs-image-shape-container-element
              
          
        
              has-aspect-ratio
            " style="
                position: relative;
                
                  padding-bottom:17.636022567749023%;
                
                overflow: hidden;-webkit-mask-image: -webkit-radial-gradient(white, black);
              "
              >
                
                  <noscript><img src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/34ffa0b3-cd10-4a7b-afad-c1af901ab190/mirai-source-code-attack-config.jpg" alt="" /></noscript><img class="thumb-image" data-src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/34ffa0b3-cd10-4a7b-afad-c1af901ab190/mirai-source-code-attack-config.jpg" data-image="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/34ffa0b3-cd10-4a7b-afad-c1af901ab190/mirai-source-code-attack-config.jpg" data-image-dimensions="1066x188" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="64445027714c9b7e55116268" data-type="image" />
                
            </div>
          </div>
        
            </button>
          
        

        
      
        </figure>
      

    </div>
  


  


</div></div><div class="sqs-block html-block sqs-block-html" data-block-type="2" id="block-yui_3_17_2_1_1681920369801_417748"><div class="sqs-block-content">

<div class="sqs-html-content">
  <p class="" style="white-space:pre-wrap;">Among the interesting functions is a <strong>TSource Engine Query</strong> attack functionality. This can be used to launch a Valve Source Engine (VSE) distributed denial-of-service (DDoS) attack against game servers.</p>
</div>



</div></div><div class="sqs-block image-block sqs-block-image" data-block-type="5" id="block-yui_3_17_2_1_1681920369801_418163"><div class="sqs-block-content">






























  

    
  
    <div
        class="
          image-block-outer-wrapper
          layout-caption-hidden
          design-layout-inline
          combination-animation-none
          individual-animation-none
          individual-text-animation-none
        "
        data-test="image-block-inline-outer-wrapper"
    >

      

      
        <figure
            class="
              sqs-block-image-figure
              intrinsic
            "
            style="max-width:1954px;"
        >
          
        
        

        
          
            
          <div
              
              
              class="image-block-wrapper"
              data-animation-role="image"
              
  

          >
            <div class="sqs-image-shape-container-element
              
          
        
              has-aspect-ratio
            " style="
                position: relative;
                
                  padding-bottom:43.29580307006836%;
                
                overflow: hidden;-webkit-mask-image: -webkit-radial-gradient(white, black);
              "
              >
                
                  <noscript><img src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/f3f5e702-c457-40af-a9a8-2e9f156a5591/mirai-attack-strings-config.jpg" alt="" /></noscript><img class="thumb-image" data-src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/f3f5e702-c457-40af-a9a8-2e9f156a5591/mirai-attack-strings-config.jpg" data-image="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/f3f5e702-c457-40af-a9a8-2e9f156a5591/mirai-attack-strings-config.jpg" data-image-dimensions="1954x846" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="64445048d8599e6b5cf5da8e" data-type="image" />
                
            </div>
          </div>
        
          
        

        
      
        </figure>
      

    </div>
  


  


</div></div><div class="sqs-block markdown-block sqs-block-markdown" data-block-type="44" id="block-yui_3_17_2_1_1681920369801_419286"><div class="sqs-block-content"><p>The decrypted strings reveal further configuration details about this Mirai bot. These include specific User-Agent strings and server headers, such as <code>cloudflare-nginx</code> and <code>dosarrest</code>. These allow the bot to imitate legitimate traffic, making it more difficult to separate DDoS traffic from legitimate network traffic.</p>

</div></div><div class="sqs-block image-block sqs-block-image" data-block-type="5" id="block-yui_3_17_2_1_1681920369801_420033"><div class="sqs-block-content">






























  

    
  
    <div
        class="
          image-block-outer-wrapper
          layout-caption-hidden
          design-layout-inline
          combination-animation-none
          individual-animation-none
          individual-text-animation-none
        "
        data-test="image-block-inline-outer-wrapper"
    >

      

      
        <figure
            class="
              sqs-block-image-figure
              intrinsic
            "
            style="max-width:1934px;"
        >
          
        
        

        
          
            <button
                class="
                  sqs-block-image-button
                  lightbox
                  
          
        
                "
                data-description=""
                data-lightbox-theme="dark"
            >
              
          <div
              
              
              class="image-block-wrapper"
              data-animation-role="image"
              
  

          >
            <div class="sqs-image-shape-container-element
              
          
        
              has-aspect-ratio
            " style="
                position: relative;
                
                  padding-bottom:43.536712646484375%;
                
                overflow: hidden;-webkit-mask-image: -webkit-radial-gradient(white, black);
              "
              >
                
                  <noscript><img src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/03fe2c5b-4a62-4ed4-bf17-9ce83435c088/mirai-http-config.jpg" alt="" /></noscript><img class="thumb-image" data-src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/03fe2c5b-4a62-4ed4-bf17-9ce83435c088/mirai-http-config.jpg" data-image="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/03fe2c5b-4a62-4ed4-bf17-9ce83435c088/mirai-http-config.jpg" data-image-dimensions="1934x842" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="6444506be29f3d6c2418e72f" data-type="image" />
                
            </div>
          </div>
        
            </button>
          
        

        
      
        </figure>
      

    </div>
  


  


</div></div><div class="sqs-block image-block sqs-block-image" data-block-type="5" id="block-yui_3_17_2_1_1681920369801_421216"><div class="sqs-block-content">






























  

    
  
    <div
        class="
          image-block-outer-wrapper
          layout-caption-hidden
          design-layout-inline
          combination-animation-none
          individual-animation-none
          individual-text-animation-none
        "
        data-test="image-block-inline-outer-wrapper"
    >

      

      
        <figure
            class="
              sqs-block-image-figure
              intrinsic
            "
            style="max-width:2380px;"
        >
          
        
        

        
          
            <button
                class="
                  sqs-block-image-button
                  lightbox
                  
          
        
                "
                data-description=""
                data-lightbox-theme="dark"
            >
              
          <div
              
              
              class="image-block-wrapper"
              data-animation-role="image"
              
  

          >
            <div class="sqs-image-shape-container-element
              
          
        
              has-aspect-ratio
            " style="
                position: relative;
                
                  padding-bottom:38.57143020629883%;
                
                overflow: hidden;-webkit-mask-image: -webkit-radial-gradient(white, black);
              "
              >
                
                  <noscript><img src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/a7cbf484-39b7-4363-8eee-9cf0fd1890e8/mirai-source-code-config.jpg" alt="" /></noscript><img class="thumb-image" data-src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/a7cbf484-39b7-4363-8eee-9cf0fd1890e8/mirai-source-code-config.jpg" data-image="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/a7cbf484-39b7-4363-8eee-9cf0fd1890e8/mirai-source-code-config.jpg" data-image-dimensions="2380x918" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="644450832c9e8f38064123d9" data-type="image" />
                
            </div>
          </div>
        
            </button>
          
        

        
      
        </figure>
      

    </div>
  


  


</div></div><div class="sqs-block markdown-block sqs-block-markdown" data-block-type="44" id="block-yui_3_17_2_1_1681920369801_422393"><div class="sqs-block-content"><p><b data-preserve-html-node="true">Indicators of compromise</b></p>
<p>The following file hashes (64 hexadecimal characters each, consistent with SHA-256) and network indicators (shown defanged) were observed in use with this exploit:<br><i data-preserve-html-node="true">Initial Downloader</i><br><code>888f4a852642ce70197f77e213456ea2b3cfca4a592b94647827ca45adf2a5b8</code></p>
<p><i data-preserve-html-node="true">Payloads</i><br><code>b43a8a56c10ba17ddd6fa9a8ce10ab264c6495b82a38620e9d54d66ec8677b0c</code><br><code>b45142a2d59d16991a38ea0a112078a6ce42c9e2ee28a74fb2ce7e1edf15dce3</code><br><code>366ddbaa36791cdb99cf7104b0914a258f0c373a94f6cf869f946c7799d5e2c6</code><br><code>413e977ae7d359e2ea7fe32db73fa007ee97ee1e9e3c3f0b4163b100b3ec87c2</code><br><code>2d0c8ab6c71743af8667c7318a6d8e16c144ace8df59a681a0a7d48affc05599</code><br><code>4cb8c90d1e1b2d725c2c1366700f11584f5697c9ef50d79e00f7dd2008e989a0</code><br><code>461f59a84ccb4805c4bbd37093df6e8791cdf1151b2746c46678dfe9f89ac79d</code><br><code>aed078d3e65b5ff4dd4067ae30da5f3a96c87ec23ec5be44fc85b543c179b777</code><br><code>0d404a27c2f511ea7f4adb8aa150f787b2b1ff36c1b67923d6d1c90179033915</code><br><code>eca42235a41dbd60615d91d564c91933b9903af2ef3f8356ec4cfff2880a2f19</code><br><code>3f427eda4d4e18fb192d585fca1490389a1b5f796f88e7ebf3eceec51018ef4d</code><br><code>aaf446e4e7bfc05a33c8d9e5acf56b1c7e95f2d919b98151ff2db327c333f089</code><br><code>4f53eb7fbfa5b68cad3a0850b570cbbcb2d4864e62b5bf0492b54bde2bdbe44b</code></p>
<p><i data-preserve-html-node="true">URLs</i><br><code>http[://]185[.]225[.]74[.]251/armv4l</code><br><code>http[://]185[.]225[.]74[.]251/armv5l</code><br><code>http[://]185[.]225[.]74[.]251/armv6l</code><br><code>http[://]185[.]225[.]74[.]251/armv7l</code><br><code>http[://]185[.]225[.]74[.]251/mips</code><br><code>http[://]185[.]225[.]74[.]251/mipsel</code><br><code>http[://]185[.]225[.]74[.]251/sh4</code><br><code>http[://]185[.]225[.]74[.]251/x86_64</code><br><code>http[://]185[.]225[.]74[.]251/i686</code><br><code>http[://]185[.]225[.]74[.]251/i586</code><br><code>http[://]185[.]225[.]74[.]251/arc</code><br><code>http[://]185[.]225[.]74[.]251/m68k</code><br><code>http[://]185[.]225[.]74[.]251/sparc</code>  </p>
<p><i data-preserve-html-node="true">Domain</i><br><code>zvub[.]us</code></p>
<p><i data-preserve-html-node="true">IP Address</i><br><code>185[.]225[.]74[.]251</code></p>

</div></div><div class="sqs-block html-block sqs-block-html" data-block-type="2" id="block-yui_3_17_2_1_1681920369801_484993"><div class="sqs-block-content">

<div class="sqs-html-content">
  <p class="" style="white-space:pre-wrap;"><strong>Conclusion</strong></p><p class="" style="white-space:pre-wrap;">Seeing this CVE exploited so quickly after the patch was released is a clear demonstration of the shrinking “time-to-exploit” that we continue to see across the industry. That said, this is nothing new for the maintainers of the Mirai botnet, who are known for quickly exploiting IoT devices to maintain their foothold in an enterprise. Looking back at this CVE, it was also interesting to see it being discovered independently by multiple teams in preparation for the Pwn2Own Toronto contest. Each team used different techniques to discover this vulnerability along with distinctive approaches to how they went about exploiting it. We would like to thank all the teams at the Pwn2Own contest for finding and disclosing these critical-class issues. It truly demonstrates the value of the contest, especially in the realm of home and small office devices. Finally, we would like to acknowledge the efforts TP-Link exhibited in developing and deploying a patch. Applying this patch is the only recommended action to address this vulnerability, and we recommend all users of the TP-Link Archer AX21 Wi-Fi router apply it as soon as possible.</p><p class="" style="white-space:pre-wrap;">Our threat hunting team continues to seek and find exploits being used in the wild, and we’ll publish details on some of these discoveries in the future. Until then, follow the team on <a href="https://www.twitter.com/thezdi" target="_blank">Twitter</a>, <a href="https://infosec.exchange/@thezdi" target="_blank">Mastodon</a>, <a href="https://www.linkedin.com/company/zerodayinitiative" target="_blank">LinkedIn</a>, or <a href="https://www.instagram.com/thezdi" target="_blank">Instagram</a> for the latest in exploit techniques and security patches.</p>
</div>



</div></div></div></div></div>
                      </div>

                       
                        <ul class="blog-tags">
                          
                            <!--TAGS-->
                            
                              <li><a class="tag" href="/blog?tag=TPLink">TPLink</a></li>
                            
                              <li><a class="tag" href="/blog?tag=Pwn2Own">Pwn2Own</a></li>
                            
                              <li><a class="tag" href="/blog?tag=Exploit">Exploit</a></li>
                            
                              <li><a class="tag" href="/blog?tag=Threat+Hunting">Threat Hunting</a>
                          
                        </ul>
                      
                   
                    
                </div>
            </div><!-- /. contentBlock -->
        </div>

    </div><!-- /. blog-listing -->
</div>
          </div>
        </section>

        
        
        

        


        

    </div> <!-- end #innerWrapper -->
    </div> <!-- end #outerWrapper -->
    <script src="https://www.zerodayinitiative.com/js/main.js"></script>
  </body>

</html>
